On Thu, Feb 25, 2021 at 2:29 PM Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> I'd prefer that we tie this to a date related to when the domain > validations are done, or perhaps 2 statements. As it stands (and as others > have commented), on July 1 all customers will immediately need to validate > all domains that were done between 825 and 397 days ago, so a huge number > all at once for web site owners and for CAs. > Isn't this only true if CAs use this discussion period to do nothing? That is, can't CAs today (or even months ago) have started to more frequently revalidate their customers, refreshing old validations, helping transition customers to automated methods, etc? That is, is the scenario you described inherently bad, or just a consequence of CA inaction? And is the goal to have zero impact, or, which your proposal seems to acknowledge, do we agree that some impact is both reasonable and acceptable, and the only difference would be the degree? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
